内容 - 安全 - 元音标头无法正常工作
我正在尝试使用标头使CSP工作,我将CSP配置设置为Axios标题(不确定这是正确的方法!)。
{
"Content-Security-Policy": "script-src-attr 'self';"
}
它仅在使用html meta时起作用,并且我需要使用标题来工作。
<meta
http-equiv="Content-Security-Policy"
content="script-src-attr 'self';"
/>
我如何使标头作为元标记工作?
I'm trying to make CSP to work using headers, I'm setting the CSP config to Axios headers (not sure if this is the correct way!).
{
"Content-Security-Policy": "script-src-attr 'self';"
}
It only works when using HTML meta and I need it to work using headers.
<meta
http-equiv="Content-Security-Policy"
content="script-src-attr 'self';"
/>
How can I get headers to work as meta tags?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
CSP无法在Axios上工作的原因是因为它应该在后端API标头上,不在前端请求上。
后端API应该发送
另一种方法是将元添加到HTML。
如果您仅在网站或应用程序的前端实现CSP规则,则可以帮助防止某些类型的攻击,例如内联脚本注射或未经授权的内容从外部来源加载。但是,重要的是要记住,CSP不是Web应用程序安全的完整解决方案。
仅在前端实现CSP的潜在缺点是,如果攻击者能够在后端API中找到漏洞,则可以绕过它。例如,如果您的API允许用户提交随后在前端显示的任意HTML内容,则攻击者可以在该内容中注入恶意代码并绕过CSP限制。
The reason why CSP isn't working on Axios is because it should be on the backend API header, not on the frontend requests.
Backend API should be sending
An alternative way is by adding meta to HTML.
If you implement CSP rules only on the frontend of your website or application, it can help protect against certain types of attacks, such as inline script injections or unauthorized content loading from external sources. However, it's important to keep in mind that CSP is not a complete solution to web application security.
One potential drawback of implementing CSP only on the frontend is that it can be bypassed if an attacker is able to find a vulnerability in your backend API. For example, if your API allows a user to submit arbitrary HTML content that is later displayed on the frontend, an attacker could inject malicious code in that content and bypass the CSP restrictions.